WTF is GDPR and does it matter for your organization?

For advocates of a free, open, and fair internet the widely adopted GDPR may be seen as a triumph for legally entrenched privacy protection. For businesses and organizations who function online, the revised regulations may seem burdensome or confusing. And for internet crawl bots, things are about to get interesting.

What is the GDPR? The General Data Protection Regulation, as it’s also known, is a set of 99 legal articles adopted by the European Union and in effect as of 2018, which specifies the collection and handling of personal data gathered by websites, apps, and the like. Pretty simple.

As the framers of the legal articles put it, the purpose is to strengthen laws on data protection and give internet users control over their personal data. That’s a goal that resonates with us, even if it means changing how we collect data and adapting our digital properties to meet the new requirements.

And meet them we should! Er–must? Well it depends. It’s true that the regulations were adopted by the European Union and only apply to EU citizens (Britain will be implementing its own version that’s basically the same) but that doesn’t mean your organization won’t be effected, or that you shouldn’t care personally about applying the new standards.

For large organizations, whether business or nonprofit, these new requirements have already meant a major overhaul of how data gets collected and stored, and what information is shared with website users. You’ve probably noticed that many websites now have those ‘we-just-need-to-let-you-know-we-use-cookies’ pop up modals.

Big companies and other organizations have spent like crazy this year to accommodate the new rules. Why? Because millions are on the line, literally. For global organizations the legal penalty for violating the GDPR is a fine of 4% of global digital revenues or €20m. This penalty is for wanton and knowing violation of the rules and it’s not something that almost any firms outside Europe–much less our clients–need to worry about.

However, as of this year EU citizens using websites originating anywhere in the world will have legal recourse to the protections afforded by the new rules. What does that mean? Basically, even if you manage or operate a website, mobile app, or server outside of Europe, if your visitors are European citizens, they can petition for–and will increasingly expect–your website to collect, store, and handle their data in line with the stipulations of the GDPR, not to mention receive informed consent before collecting sensitive data.

Okay, so what does it mean for your website? (We’ll get to the actual stipulations soon!) Well, avoiding or ignoring the GDPR rules is sort of like fudging your taxes. Sure, a lot of people are going to do it. And many of them, perhaps most, will fly under the radar. If you choose not to follow these international standards, your site may never receive a complaint, you may never be subject to any sort of penalties.

But some people will, and that includes people who manage small e-commerce sites, non-profit website, even blogs–if you collect cookies, email addresses, names, browser histories, or any other data from your online visitors, you could be subject to these regulations.

From our new Compliance + Security audit

And moreover, ignoring these stipulations is sort of like fudging your taxes because even though it’s maybe not a huge deal and even though lots of people are going to do it with no repercussions, it’s just not cool. These laws weren’t deliberated over for more than 20 years and written and rewritten and agreed upon by dozens of democratic nations because burdensome regulation is super fun. It’s because the average website user has a right to know what data is being collected on them, to opt out, to retain their privacy, and to have those who keep their data do so with care and ethical consideration.

The EU itself has a great website set up to both explain the GDPR and also dive into the philosophy behind it. Definitely worth checking out, but in case you don’t, here’s a quote from the ‘rights’ section:

“You, as a data subject, now own your data. Some of your personal data consists of socially oriented categories that contain things such as race, ethnicity, gender, bio-data, sexual orientation, and political and religious opinions, which cannot be handled without your consent. As a user, you have certain rights that are set to safeguard your freedom and help you control your personal data.”

The GDPR is, in effect, an enumeration of several rights of internet users. (Check out the video below, also from the EU’s official website, which elaborates on that.)

But the second question for business owners, nonprofit directors, and webmasters is: How will this apply to me?

In the last part of this post, I’m going to quickly explain the most relevant stipulations of the GDPR and, if applicable, what you may need to do to adapt to the new standards.

But the comprehensive answer of ‘How will this apply to us?’ depends a lot on the ‘us’. Maine Creative just launched a service that brings digital properties into full compliance with the GDPR and works with managers to understand and adhere to the regulations. We’re currently offering this customized GDPR solution as part of our Compliance + Security package, which you can check out by clicking the link. Or, get in touch with us to discuss how GDPR will effect your organization and create a tailored management plan.

GDPR stipulations: what you need to know

– Websites that collect data (such as email addresses, customer names, or cookie information) are required to confirm explicit consent from customers for such collection. The purposes for the collection and the duration of time data is kept must be explained in a general policy. Website visitors can request a copy of the data collected on them, including an explanation of how it was used. They may also withdraw consent and request that data be deleted. So if you own a blog with a newsletter mailing list, or if you run an e-commerce website, or if you collect visitor data in any other way, it’ll be wise to use some sort of consent form as well as updatin Save g the privacy policy and/or terms of use on your site. Additionally, you’ll want to review how data is stored, transferred, and deleted to make sure your processes adhere to the standards.

– Data collectors and website managers must consider appropriate security measures such as encryption, as well as ongoing confidentiality of data. A new concept of ‘pseudonymization’ has been introduced for security. This refers to the processing of customer data in a way that the individual cannot be identified without more data. For those who collect and maintain a lot of user data, you’ll want to review exactly what data is collected and verify that it’s being stored according to the new laws.

– When a data breach occurs, data collectors must notify government authorities within 72 hours if the breach is likely to result in a risk to the privacy of those whose data has been collected. In some cases, notification will also need to be sent to the individuals concerned.

– The GDPR lays out new international data transfer rules, including the stipulations that personal data can only be transferred outside of the EU to recipients in countries considered to be adequately safe. (The EU will issue lists of non-adequate countries.)

– Data controllers maintaining user data within the EU must maintain certain documentation, carry out a data protection impact assessment and ensure effective procedures are in place to handle relevant risks.

From the EU’s official site explaining GDPR

I hope this article has been informative and motivational. Whether it’s to avoid legal limbo or just to do the right thing, we advise you to take the new regulations to heart and amend your websites, apps, and the like accordingly. If that task feels daunting, you can always call on the experts to lighten the load! And just to reiterate the importance of online security and proper data handling, I’ll leave you with some of the research we gathered while formulating our new service: